FastFed: A New Standard to Simplify SSO Adoption
Erik Gustavson, Engineering Manager, Google
Darin McAdams, Principal Engineer, AWS
The Problem
Low adoption of federation in enterprise settings
Why? It’s hard to configure.
44 Steps
Strange Terminology
• Entity ID
• ACS URL
• IdP Metadata
• Signed Responses
• Name ID Mapping
• Certificate Downloads
User Attribute Mappings
App wants:      You have:
• FirstName     • GivenName
• first_name    • given_name
• f_name        • givenName
User Provisioning
More terminology! More to configure!
• JIT
• SCIM
• User Lifecycle Management
The Results
Error: Could not validate SAML response
Finally, Success!
Until 1 year later…
Security Certificate Expired!
Lots of Pain
• System Administrator: budget 1-2 weeks to configure SSO to each application.
• Identity Providers: each app is different. Custom integration & documentation.
• Service Providers: getting into Identity Provider catalogs. Not self-service. “What should I be doing!?”
Today’s Registration Experience
Identity Provider <-- Copy/Paste -- Admin -- Copy/Paste --> Service Provider
Desired Registration Experience
Admin initiates; Identity Provider <--> Service Provider exchange the configuration directly
Fast Federation (FastFed) Working Group
How does FastFed work?
• Does NOT replace SAML, OIDC, SCIM…
• DOES orchestrate the configuration of them
Message Flows: Discovery
Identity Provider <--> Service Provider
• Alice, an administrator at the Service Provider, enters her email: alice@company.com
• The Service Provider takes the domain, company.com, and bootstraps from its well-known WebFinger location: GET https://_well-known.company.com/webfinger
• The response points to Alice’s FastFed configuration: "https://tenant-12345.idp.com/fastfed"
• The Service Provider calls that URL to get the Identity Provider’s FastFed metadata (Get Metadata)
Message Flows: Identity Provider Metadata
HTTP/1.1 200 OK
Content-Type: application/json
{
  "identity_provider": {
    "provider_domain": "idp.com",
    "tenant_id": "tenant-12345",
    "display_name": "Identity Provider",
    "display_images": {
      "large_icon_uri": "https://idp.com/images/tile.png"
    },
    "capabilities": {
      "authentication_profiles": [
        "urn:ietf:params:fastfed:1.0:authentication:SAML:Basic"
      ],
      "provisioning_profiles": [
        "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ]
    },
    "jwks_uri": "https://idp.com/fastfed/keys",
    "fastfed_handshake_start_uri": "https://tenant-12345.idp.com/fastfed/start"
  }
}
Highlights: capabilities (which SSO and provisioning profiles and user schema this provider wants), identifying metadata (tenant ID, display name and images), the location of the provider’s public key (jwks_uri), and the URL for the next step of the handshake (fastfed_handshake_start_uri).
Message Flows: Hand-off
Identity Provider <--> Service Provider
Pending Registration (captured by the Service Provider)
• IdP
• Tenant ID
• Public Key
• Expiration Date
HTTP REDIRECT to the Identity Provider; includes the location of the Service configuration
Message Flows: Service Provider Metadata
HTTP/1.1 200 OK
Content-Type: application/json
{
  "application_provider": {
    "provider_domain": "service.com",
    "tenant_id": "tenant-67890",
    "display_name": "Service Provider",
    "display_images": {
      "large_icon_uri": "https://app.com/images/tile.png"
    },
    "capabilities": {
      "authentication_profiles": [
        "urn:ietf:params:fastfed:1.0:authentication:SAML:Basic"
      ],
      "provisioning_profiles": [
        "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ]
    },
    …
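As an added example (not code from the deck or from any FastFed implementation), here is how a service could parse the two metadata documents above and pick the profiles both sides advertise, which is the negotiation the speaker notes describe when one provider prefers SAML and another OpenID Connect. It assumes only the field names shown on the slides; ParseMetadata, Negotiate and intersect are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
)

// ProviderMetadata is the subset of a FastFed metadata document a peer needs: who the
// provider is, what it can do, where its keys are and where the handshake continues.
type ProviderMetadata struct {
	ProviderDomain string `json:"provider_domain"`
	TenantID       string `json:"tenant_id"`
	Capabilities   struct {
		AuthenticationProfiles []string `json:"authentication_profiles"`
		ProvisioningProfiles   []string `json:"provisioning_profiles"`
		Schemas                []string `json:"schemas"`
	} `json:"capabilities"`
	JwksURI           string `json:"jwks_uri"`
	HandshakeStartURI string `json:"fastfed_handshake_start_uri"`
}

// ParseMetadata unwraps the envelope the slides use: "identity_provider" for the IdP
// document and "application_provider" for the service's. A missing envelope is an error.
func ParseMetadata(body []byte, envelope string) (ProviderMetadata, error) {
	var doc map[string]json.RawMessage
	var pm ProviderMetadata
	if err := json.Unmarshal(body, &doc); err != nil { return pm, err }
	raw, ok := doc[envelope]
	if !ok { return pm, errors.New("metadata lacks a " + envelope + " object") }
	return pm, json.Unmarshal(raw, &pm)
}

// Negotiate returns the authentication profiles, provisioning profiles and schemas that
// both sides advertise, in the IdP's order. No common authentication profile is fatal:
// SSO cannot be configured, so the handshake must stop here.
func Negotiate(idp, sp ProviderMetadata) (auth, prov, schemas []string, err error) {
	auth = intersect(idp.Capabilities.AuthenticationProfiles, sp.Capabilities.AuthenticationProfiles)
	prov = intersect(idp.Capabilities.ProvisioningProfiles, sp.Capabilities.ProvisioningProfiles)
	schemas = intersect(idp.Capabilities.Schemas, sp.Capabilities.Schemas)
	if len(auth) == 0 { err = errors.New("no authentication profile supported by both providers") }
	return auth, prov, schemas, err
}

// intersect keeps the elements of a that also occur in b, preserving a's order.
func intersect(a, b []string) (out []string) {
	inB := make(map[string]bool, len(b))
	for _, x := range b { inB[x] = true }
	for _, x := range a { if inB[x] { out = append(out, x) } }
	return out
}
```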
Message Flows: At the Identity Provider
Identity Provider <--> Service Provider
Pending Registration (held by the Service Provider)
• IdP
• Tenant ID
• Public Key
• Expiration Date
The Identity Provider:
• Authenticates Alice
• Confirms she wants to configure SSO into the service
• (Optional) Reviews and Approvals
Message Flows: Complete Registration
Identity Provider <--> Service Provider
Pending Registration (held by the Service Provider)
• IdP
• Tenant ID
• Public Key
• Expiration Date
Complete Registration (sent by the Identity Provider)
• SAML/OIDC Metadata
• SCIM Metadata
• OAuth ClientID/Secret
JWT, signed with private key
Valid? The Service Provider checks the message against its pending registration and the Identity Provider’s key.
Message Flows: Response
Identity Provider <--> Service Provider
The Service Provider responds with its own metadata:
• SAML/OIDC Metadata
• SCIM Metadata
• OAuth ClientID/Secret
Both sides now hold each other’s SAML/OIDC metadata, SCIM metadata and OAuth ClientID/Secret.
DONE!
Working Group Members
• ADP
• AWS
• Google
• Microsoft
• Okta
• SailPoint
• Salesforce
• and growing…
Since Identiverse
• Closing out remaining issues, e.g.
  • IGA Providers
  • Provider Authentication
  • Wordsmithing…
• Production timelines?
• Lesson from demo -> UX
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update

Editor's Notes

  • #3 Despite the existence of standards like SAML or OIDC, many apps see low federation rates. It is not unusual to see percentages in the single digits or low double digits. Customers choose to create yet another login and password instead of SSO.
  • #4 The reason: configuring SSO is hard! Let’s look at a typical experience…
  • #5 44 steps to configure SSO from GSuite->AWS. This isn’t unusual.
  • #7 If you’ve never set up SSO before, you are immediately confused by strange words. “ACS URL? What is an ACS URL?”
  • #8 You need to be a translator between applications.
  • #9 Besides SSO, how do you create user accounts in the application?
  • #10 More concepts! JIT, SCIM, Lifecycle.
  • #11 After configuring… this is what happens. It doesn’t work. Maybe a typo, or accidentally copied the wrong value? No helpful logging. Calling tech support.
  • #12 Finally, you get it working.
  • #13 Until 1 year later. Guess what happens after a year.
  • #14 SAML certificate expiration. Now the system is broken again.
  • #15 Service Providers have no easy way to add themselves to app catalogs managed by the Identity Providers. They ask the Identity experts: “You made all these standards. Please, tell us what to do!” EVERYONE IS MISERABLE.
  • #16 What’s happening: a human is copying and pasting between systems. They have 4 browser windows open. The problem: humans are the most unreliable, error-prone data bus we could have chosen.
  • #17 To solve it, how do we let computers talk to each other? Behind the scenes, same standards. But the computers exchange the configuration programmatically.
  • #18 This was the goal of the FastFed working group. Later, we’re going to show how it works. But first, let’s show you the new experience.
  • #19 Does orchestrate their configuration. Sort of a control plane, and opinionated requirements for interoperability.
  • #20 Alright, in the N minutes remaining, here’s a whirlwind tour of what’s happening behind the scenes. This is going to be FAST. Gives a taste. Toward the end, we’ll talk about where to learn more if it piques your interest.
  • #21 The flow starts at the service. Someone has administrative privileges there and wants to set up SSO. First question: what is their Identity Provider?
  • #22 FastFed has a couple of ways to solve this. The best user experience, and the one I’ll show here, uses their email address. In this case, the service has asked Alice for her email.
  • #23 Based on the email, we can take the domain name.
  • #24 And, if the company has configured it, make a request to a well-known location to bootstrap. This uses an existing protocol named WebFinger, if you are familiar with it. (Although we had to change WebFinger a little.)
  • #25 We get back a location. This tells us where to find the FastFed configuration for Alice. The URL could be anything, just a place to go next.
  • #26 Next the service can take this URL…
  • #27 And make a call to retrieve the FastFed Metadata for Alice and her organization.
  • #28 What comes back is a whole lot of information. We won’t go through every detail, but a few highlights…
  • #29 It includes capabilities.
  • #30 Here, we see this provider wants to use SAML and SCIM with a certain user schema. Another provider could prefer OpenID Connect, for example. This describes those preferences and capabilities.
  • #31 We see some metadata. Things like unique IDs. Or display names and images.
  • #32 There’s also a public key. This will come in later. Just for now, remember: here’s where the service learns the public key for the Identity Provider.
  • #33 Finally, a URL that points us to the next step in the handshake.
  • #34 The service captures some of this information into a whitelist: the IDs, the public key. At this point, the service halts. It’s got a half-completed registration. The next step is to hand off to the Identity Provider to finish the job.
  • #35 There are a couple of ways to do this handoff, but in practice an HTTP Redirect will be the most common. Alice is redirected to her Identity Provider using the endpoints discovered earlier.
  • #36 I’m skipping over it here for time, but the redirect includes parameters for the Identity Provider to learn an equivalent set of metadata about the service. What SSO protocols does it support? What user attributes does it need?
  • #38 The Identity Provider will authenticate Alice.
  • #39 It will confirm she really wants to configure SSO into the service.
  • #40 Then, at some organizations, this will go into a security queue for approval. This is common: even though Alice administers the service instance, the organization wants a little scrutiny before anyone in the company can launch 3rd party applications for org-wide use.
  • #41 Finally, everything’s approved.
  • #42 We’re ready to finish. Behind the scenes, the Identity Provider will make an HTTP request to complete the registration. Finally, the services begin exchanging metadata for those protocols. This is the same information you were previously copying and pasting manually. BUT, how does the service know the call is allowed? We can’t permit a random IdP to register.
  • #43 To handle this, the Identity Provider signs the message using its public key.
  • #44 The service can validate. Does this match a pending registration? Signed with the right key?
  • #45 If everything looks OK, the service accepts it. Captures the metadata from the Identity Provider.
  • #46 Then, it responds with its own metadata.
  • #47 And we’re done. What happened: apps exchanged the same metadata that human beings were copying and pasting before. The FastFed workflow creates the trust and communication channels. They can periodically resync to get updates, like SAML certificate rotation.
  • #48 All the specs are online. This isn’t just Google+AWS. We want everyone to have this experience. Interested? Get involved.